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Claims 

11. A network storage architecture supporting securely controlled access and 

2 transfer of data between a client computer system and a network data store, said 

3 network storage architecture comprising: 

4 a) an agent program, executed on a client computer system, operative with 

5 respect to an application program, executable by said client computer system to 

6 access a network data store, to develop authentication data with respect to said 

7 application program; and 

8 b) a network appliance, coupleable through a communications network to 

9 said client computer system, interoperable with said agent program to receive and 

10 validate said authentication data, said network appliance providing a response 

1 1 message to said agent program to control execution of said application program. 

1 2. The network storage architecture of Claim 1 wherein said authentication 

2 data includes user and session data. 

1 3. The network storage architecture of Claim 2 wherein said authentication 

2 data includes a secure signature of said application program. 

1 4. The network storage architecture of Claim 1 wherein said agent program 

2 is operative to obtain user authentication and collect data with respect to user 

3 sessions and processes to develop said authentication data. 
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1 5. The network storage architecture of Claim 4 wherein said agent program 

2 is further operative to generate a secure signature of said application program 

3 and provide said secure signature as part of said authentication data. 

1 6. The network storage architecture of Claim 1 wherein said network 

2 appliance includes a policy parser operative to evaluate said authentication data 

3 and a policy data store including predetermined policy data accessible by said 

4 policy parser. 

1 7. The network storage architecture of Claim 6 wherein said predetermined 

2 policy data, as evaluated by said policy parser, is determinative of said response 

3 message. 

1 8. A network storage architecture supporting securely controlled access and 

2 transfer of data between a client computer system and a network data store, said 

3 network storage architecture comprising: 

4 a) an agent program, executed on a client computer system, responsive to 

5 a source file request issued with respect to a network data store by an application 

6 program executed by said client computer system, said agent program being 

7 operative to develop authentication data with respect to said application program 

8 and to provide a file request message including a representation of said source 

9 file request and said authentication data; and 

10 b) a network appliance, coupleable through a communications network to 

1 1 said client computer system and responsive to said file request message, said 

1 2 network appliance including a policy parser operative to evaluate said file request 
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13 message and a policy data store including predetermined policy data accessible 

1 4 by said policy parser, said network appliance, responsive to the evaluation of said 

15 file request message, enabling performance of said source file request with 

1 6 respect to said network data store. 

1 9. The network storage architecture of Claim 8 wherein said authentication 

2 data includes an authenticated identification of a user associated with said 

3 application program. 

1 10. The network storage architecture of Claim 9 wherein said authentication 

2 data includes user session and context data. 

1 11. The network storage architecture of Claim 1 0 wherein said authentication 

2 data includes a secure signature of said application program. 

1 12. The network storage architecture of Claim 8 wherein said network 

2 appliance enables the generation of a modified file request corresponding to said 

3 source file request and directed to said network data store. 

1 13. The network storage architecture of Claim 12 further comprising a first 

2 communications network through which said file request message is received by 

3 said network appliance and a second communications network through which 

4 said modified file request is provided to said network data store. 



Attorney Docket No.: AESN3008 

gbr/aesn/3008conl .000. utility, wpd 



n /1 2/2003 



- 50 - 

1 14. The network storage architecture of Claim 13 wherein said network 

2 appliance includes an encryption unit and wherein said network appliance further 

3 provides for the cipher processing of file data transferred in connection with said 

4 modified file request. 

1 15. The network storage architecture of Claim 14 wherein said policy data 

2 store further provides for the storage of an encryption key identifier determinable 

3 by said policy parser on evaluation of said file request message and wherein said 

4 network appliance obtains an encryption key identified by said encryption key 

5 identifier for use in the cipher processing of file data transferred in connection with 

6 said modified file request. 

1 1 6. The network storage architecture of Claim 1 5 wherein said authentication 

2 data includes a process identifier, corresponding to said application program as 

3 executed on said client computer system, a verified user identifier, and a group 

4 identifier, and wherein said policy parser is operative to qualify said file request 

5 message against said predetermined policy data with respect to said process 

6 identifier, verified user identifier, and group identifier. 

1 17. A method of securing access by a client computer system to file data stored 

2 on a storage device accessible by said client computer system, said method 

3 comprising the steps of: 

4 a) intercepting, by a first program as executed on a client computer system, 

5 a data transfer request issued by a second program, as executed oh said client 
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6 computer system, directed to o dote file stored by a client accessible file data 

7 store; 

8 b) first processing, by said first program, said data transfer request to 

9 associate authentication data with said data transfer request; 

10 c) evaluating, by a security appliance coupled to said client computer 

11 system through a communications network, said data transfer request, said 

12 authentication data, and access control data corresponding to said data file to 

13 qualify said data transfer request; and 

14 d) second processing to selectively enable said data transfer request to 

15 proceed relative to said data file dependent on the qualification of said data 

1 6 transfer request. 

1 1 8. The method of Claim 1 7 wherein said authentication data includes process 

2 and context identification information. 

1 19. The method of Claim 17 wherein said authentication data includes a 

2 verified user identifier and a process identifier. 

1 20. The method of Claim 17 wherein said authentication data includes a 

2 verified user identifier, a process identifier, a group identifier. 

1 21. The method of Claim 17 wherein said data transfer request specifies a 

2 data range of file data and wherein said second processing step includes the step 

3 of modifying said data range to accommodate block encryption of file data within 

4 said data file. 



Attorney Docket No.: AESN3008 

gbr/aesn/3008con 1 .OOO.utility.wpd 



11/12/2003 



-52- 



1 22. The method of Claim 17 wherein said step of evaluating associates 

2 encryption control data with said data transfer request and wherein said second 

3 processing step, responsive to said encryption control data, includes cipher 

4 processing of file data transferred in connection with said data transfer request. 

1 23. The method of Claim 22 further comprising the steps of: 

2 a) first transferring said data transfer request to said security appliance 

3 through a first communications network; and 

4 b) second transferring said data transfer request relative to said client 

5 accessible file data store through a second communications network. 

1 24. The method of Claim 23 wherein, through said first and second 

2 transferring steps, said security appliance is established a network portal through 

3 which network file accesses are routed between said client computer system and 

4 said client accessible file data store. 

1 25. A method of securing file access operations by a client computer system 

2 made with respect to a client accessible file data store, said method comprising 

3 the steps of: 

4 a) intercepting, by a first program executing on a client computer system, 

5 file operation requests issued by a second program, as executing on said client 

6 computer system, wherein said file operation requests are issued with respect to 

7 files stored in a filesystem accessible by said client computer system; 
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8 b) determining, by said first program relative to a predetermined file 

9 operation request, authentication data for said second program, wherein said 

10 authentication data includes user and process identification data arid a 

1 1 representation of said predetermined file operation request; and 

1 2 c) enabling, by a security appliance responsive to said authentication data, 

1 3 said predetermined file operation request v/ith respect to a file identified by said 

1 4 predetermined file operation request, wherein said enabling step is dependent on 

15 qualification, by said securityappliance,of said authentication data against policy 

16 data defining operation permissions relative to said file. 

1 26. The method of Claim 25 further comprising the steps of: 

2 a) associating an encryption key with said predetermined file operation 

3 request determined from the qualification of said authentication data against said 

4 policy data; and 

5 b) cipher processing, using said encryption key, file data transferred relative 

6 to said file. 

1 27. The method of Claim 26 wherein said step of cipher processing includes 

2 modifying the specification of said predetermined file operation request to 

3 accommodate encryption of file data transferred relative to said file. 

1 28. The method of Claim 27 wherein said step of cipher processing is 

2 performed on said security appliance. 
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1 29. The method of Claim 28 wherein said authentication data includes a 

2 verified user identification and a login process identification. 

1 30. A security appliance for securing access by client computer systems to 

2 persistently stored data files, said security appliance comprising: 

3 a) a processor coupleable to a client computer system to receive an access 

4 request message, wherein said access request message includes authentication 

5 data and an identification of a file operation directed to an identified data fije 

6 stored in a persistent data file store; and 

7 b) a policy data store, accessible by said processor, providing for the 

8 storage of predetermined file operation qualifiers applicable to data files present 

9 in said persistent data file store, wherein said policy data store is maintained 

1 0 secure by said processor with respect to said client computer system, and wherein 

1 1 said processor is operative to selectively enable said file operation dependent on 

1 2 an evaluation of said predetermined file operation qualifiers with respect to said 

1 3 access request message. 

1 31. The security appliance of Claim 30 wherein said authentication data 

2 includes a verified user identifier and a group identifier and wherein said 

3 processor is operative to discriminate said verified user identifiers, said group 

4 identifier, said file operation and said identified data file against said 

5 predetermined file operation qualifiers to obtain said evaluation. 

1 32. The security appliance of Claim 31 wherein said policy data store further 

2 provides for the storage of encryption keys in association with said predetermined 
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3 file operation qualifiers and wherein said processor is operative to retrieve a 

4 predetermined encryption key from said policy data store dependent on said 

5 evaluation. 

1 33. The security appliance of Claim 32 wherein said processor, responsive to 

2 said evaluation, is further operative to provide for said file operation to be passed 

3 to said persistent data file store. 

1 34. The security appliance of Claim 33 wherein said processor, responsive to 

2 said evaluation, is further operative to modify a specification of said file operation 

3 to accommodate the transfer of encrypted data in connection with the 

4 performance of said file operation with respect to said identified data file. 

1 35. The security appliance of Claim 34 wherein said processor includes an 

2 encryption engine operative to process encrypted data transferred with respect to 

3 said identified data file. 
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